The Law and Medical Privacy

Many laws regulate the privacy of medical information. Although they offer some protection, on the whole they operate more for the benefit of ensuring the flow of information throughout the health care industry than ensuring the privacy of individuals.

Also, these laws usually apply only to personal medical information in the hands of specific types of entities, such as your doctor, hospital, health plan, or other health care entity. Thus, for instance, information you give to a social network or search engine, or post in a chat room or website discussion about a disease, is often not protected by existing medical privacy laws.

In addition, there are numerous exceptions for disclosure of medical information without your consent, which can also mean without your knowledge.

The stricter requirement for written consent to disclose substance abuse treatment information applies only to federally assisted treatment programs, not to purely private ones.

Personal medical information is disclosed without consent for many permitted and mandatory public health reporting purposes, such as disease monitoring and the reporting of child abuse, elder abuse, and domestic violence.

Health information may be disclosed in judicial and administrative proceedings by subpoena or as part of a discovery process in litigation.

There are exceptions for law enforcement: health information may be disclosed in response to a subpoena or court order, or as part of the investigation or reporting of a crime.

Disclosures are permitted for specialized government functions, including national security and intelligence operations.

Health information may be disclosed to an employer that sponsors and pays for its employees' health coverage, but it must be strictly segregated from all other employee records and may not be used for employment decisions.

Personal health information can't be sold without your consent, subject to exceptions for public health and research purposes, and for the sale, transfer, merger, or consolidation of the covered entity that holds the data.

Inmates' health information from outside the prison system may be disclosed to the correctional institution where they are incarcerated.

Personal health information may be disclosed if you apply for a public benefit.

Health information may be disclosed in the process of applying for workers' compensation.

The portion of HIPAA that deals with information privacy is called the Privacy Rule. It authorizes broad disclosures of personal health data without consent for treatment, payment, and routine health care operations, while requiring written authorization for information considered especially sensitive, such as outpatient psychotherapy notes. Your authorization is also necessary for your health information to be used for any kind of marketing other than prescription refill reminders and similar communications about your own treatment.

You do have some rights under HIPAA. You have the right to be notified what your rights are concerning your own medical information. You also have the right to access and receive copies of your records, request corrections, and be notified of data breaches. If you pay for a treatment in full out of pocket, you can require that information about it not be disclosed to your health plan. You can also request an accounting of disclosures, but currently you can only learn to whom your health information has been disclosed for purposes other than treatment, payment, and health care operations.

Federal regulations that are stricter than HIPAA, known as "Part 2" (42 CFR Part 2), apply to the disclosure and use of alcohol and drug abuse patient records maintained in connection with any federally assisted alcohol or drug abuse treatment program.

The Common Rule applies to federally funded research on human subjects; private research institutions may voluntarily agree to comply with the federal standards. Among other things, the Common Rule sets out explicit standards for informed consent by research subjects, although an ethics board (an institutional review board) may waive these requirements. How far written consent by a research subject extends is muddled: the consent can be either for a specific project or broad enough to cover a range of future research projects, as long as the subject is "adequately" informed about such future research.

California-Specific Laws

California's medical privacy laws, primarily the Confidentiality of Medical Information Act (CMIA), the data breach sections of the Civil Code, and sections of the Health and Safety Code, provide HIPAA-like protections, although the terminology is different. HIPAA creates a federal "floor" and applies where there is a gap in California law. HIPAA also expressly provides that more stringent state laws are not preempted and take precedence over it.

California law is stronger in requiring authorization for disclosure of data about STDs (although positive HIV/AIDS test results must be reported to public health authorities), substance abuse treatment, and outpatient psychotherapy notes.

Federal law grants no individual right to sue in the event of a data breach (HIPAA is enforced by the federal Department of Health and Human Services and by state attorneys general), but California law does.

This means that California law sets a higher standard for medical privacy, and individuals in California enjoy stronger legal protections and more ways to hold entities that violate their medical privacy accountable.

Other California laws that give some additional protection to medical information:

The Insurance Information and Privacy Protection Act (IPPA) prohibits unauthorized disclosure of personal information, including medical records, collected in connection with insurance applications and claims resolution. Insurers must give you a notice of privacy practices that tells you with whom your information may be shared and your rights to restrict that sharing.

The Information Practices Act (IPA) applies to state agencies. It limits their collection, maintenance, and distribution of personal information, which includes medical information. It also gives individuals the right to review personal information held in state agency records, to find out who has accessed it, and to request changes to inaccurate or irrelevant information.

The California Online Privacy Protection Act applies to commercial websites and online services that collect personally identifiable information of any kind, including medical information, from California residents. "Protection" is a misnomer here, since the act's primary requirement is that such sites "conspicuously" post a privacy policy that notifies users what data the site collects and with whom it shares that data.

Because the regulations that cover health information are directed more at who handles the data (covered entities and their business associates) than at the data itself, medical data that lands outside the walls of HIPAA and the related laws described above generally has no specific medical privacy protection at all.

A great deal of exposure comes from individuals' own online activities. This includes information you make public yourself through chat, through participation in affinity groups organized around diseases or medical conditions, or through social media. This is an increasingly serious issue as technology makes it easier for individuals to share and store medical information.

Many health and fitness applications (mobile and online) also collect medical or medical-like data, and they facilitate and encourage sharing it, typically without any HIPAA coverage.
